Description
In the Linux kernel, the following vulnerability has been resolved:

ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

In vti6_tnl_lookup(), when an exact match for a tunnel fails,
the code falls back to searching for wildcard tunnels:

- Tunnels matching the packet's local address, with any remote address
(wildcard remote).

- Tunnels matching the packet's remote address, with any local address
(wildcard local).

However, vti6 stores all these different types of tunnels in the same
hash table (ip6n->tnls_r_l) prone to hash collisions.

The bug is that the fallback search loops in vti6_tnl_lookup() were
missing checks to ensure that the candidate tunnel actually has
a wildcard address.
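The description above is enough to model the bug. The following is an added, constructed model of the fallback search, not the kernel's ip6_vti.c code: IPv6 addresses are shrunk to 32-bit integers (0 standing in for the all-zero "any" address), the hash table has four buckets instead of the kernel's, and a single `require_wildcard` flag switches between the unpatched loops (only the keyed address is compared) and the patched ones (the candidate's other address must really be the wildcard). The tunnel addresses and the colliding bucket are chosen by hand for the demonstration.

```c
/* Constructed model of the vti6_tnl_lookup() fallback search; not kernel code.
 * Addresses are 32-bit ints with 0 meaning "any"; four buckets make the hash
 * collision from the advisory trivial to reproduce. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ANY_ADDR  0u
#define HASH_SIZE 4

struct tunnel {
    uint32_t laddr;       /* configured local address, or ANY_ADDR */
    uint32_t raddr;       /* configured remote address, or ANY_ADDR */
    bool up;
    struct tunnel *next;  /* chain within one bucket */
};

/* Stand-in for ip6n->tnls_r_l: exact, wildcard-remote and wildcard-local
 * tunnels all share this one table, so buckets can collide across kinds. */
static struct tunnel *tnls_r_l[HASH_SIZE];

/* Mixes both addresses into a bucket index, same shape as HASH(remote, local). */
static unsigned hash_of(uint32_t remote, uint32_t local)
{
    return (remote ^ local) & (HASH_SIZE - 1);
}

static void table_reset(void)
{
    for (int i = 0; i < HASH_SIZE; i++) tnls_r_l[i] = NULL;
}

static void tunnel_link(struct tunnel *t)
{
    unsigned h = hash_of(t->raddr, t->laddr);
    t->next = tnls_r_l[h];
    tnls_r_l[h] = t;
}

/* require_wildcard == false reproduces the bug: each fallback loop compares
 * only the address it keys on, so any up tunnel sharing the bucket and
 * matching that one address is returned. true is the fixed behaviour. */
static struct tunnel *lookup(uint32_t remote, uint32_t local, bool require_wildcard)
{
    struct tunnel *t;

    /* 1. exact match on both addresses */
    for (t = tnls_r_l[hash_of(remote, local)]; t; t = t->next)
        if (t->laddr == local && t->raddr == remote && t->up)
            return t;

    /* 2. local matches, remote should be wildcard: bucket of (any, local) */
    for (t = tnls_r_l[hash_of(ANY_ADDR, local)]; t; t = t->next)
        if (t->laddr == local && t->up &&
            (!require_wildcard || t->raddr == ANY_ADDR))
            return t;

    /* 3. remote matches, local should be wildcard: bucket of (remote, any) */
    for (t = tnls_r_l[hash_of(remote, ANY_ADDR)]; t; t = t->next)
        if (t->raddr == remote && t->up &&
            (!require_wildcard || t->laddr == ANY_ADDR))
            return t;

    return NULL;  /* the kernel would still try the fully wildcard tunnel here */
}

/* Constructed scenario: the fully specified tunnel (0x10, 0x40) lands in the
 * same bucket as the wildcard-remote slot for local 0x10, because
 * hash_of(0x40, 0x10) == hash_of(ANY_ADDR, 0x10) == 0. */
static struct tunnel specific = { .laddr = 0x10, .raddr = 0x40, .up = true };
static struct tunnel wildcard = { .laddr = 0x10, .raddr = ANY_ADDR, .up = true };

/* Packet from an unconfigured remote (0x20) to local 0x10: the buggy loops
 * hand it to the specific tunnel for 0x40, i.e. the wrong tunnel. */
static bool buggy_lookup_misroutes(void)
{
    table_reset();
    tunnel_link(&specific);
    return lookup(0x20, 0x10, false) == &specific;
}

/* Same packet, same table, patched loops: no tunnel matches. */
static bool fixed_lookup_rejects(void)
{
    table_reset();
    tunnel_link(&specific);
    return lookup(0x20, 0x10, true) == NULL;
}

/* The fix keeps legitimate wildcard matching: once a real wildcard-remote
 * tunnel exists for local 0x10, the same packet is delivered to it. */
static bool fixed_lookup_finds_wildcard(void)
{
    table_reset();
    tunnel_link(&specific);
    tunnel_link(&wildcard);
    return lookup(0x20, 0x10, true) == &wildcard;
}

int main(void)
{
    printf("buggy lookup picks the wrong tunnel: %d\n", buggy_lookup_misroutes());
    printf("fixed lookup rejects the packet:     %d\n", fixed_lookup_rejects());
    printf("fixed lookup still honours wildcard: %d\n", fixed_lookup_finds_wildcard());
    return 0;
}
```

The point to take from the model is that the shared table, not the hash function, is what makes the check necessary: a bucket keyed by (any, local) can legitimately hold fully specified tunnels, so a fallback loop that compares only one address is a correctness bug regardless of how good the hash is. The patched loops add exactly the wildcard condition that the description says was missing.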
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the vti6_tnl_lookup() routine falls back to wildcard tunnels without verifying that the candidate tunnel actually has a wildcard address. Because all tunnel types share one hash table that is subject to collisions, a packet can be matched to the wrong VTI tunnel, potentially leading to misrouting of traffic or denial of service.

Affected Systems

Linux kernel builds that include the unpatched ip6_vti module are affected. All distributions that run such kernel versions require an update to incorporate the fix.

Risk and Exploitability

The CVSS score is not publicly available, and the EPSS score is missing, so the exact exploitation likelihood cannot be quantified. The vulnerability involves internal kernel logic, suggesting that a local or kernel-level attacker would need to craft specific IPv6 packets that trigger the faulty lookup. Because the fix addresses a hash collision bug rather than an obvious privilege escalation path, exposure is likely limited but still warrants prompt patching. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 25, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the vti6_tnl_lookup() fix for the ip6_vti module.
  • Reboot or reload networking services to load the updated kernel module.
  • Verify correct tunnel matching by testing connectivity between expected local and remote addresses on VTI tunnels.
  • If immediate upgrade is not possible, consider disabling unused VTI tunnels or limiting traffic that may trigger the lookup to mitigate risk.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() In vti6_tnl_lookup(), when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels: - Tunnels matching the packet's local address, with any remote address (wildcard remote). - Tunnels matching the packet's remote address, with any local address (wildcard local). However, vti6 stores all these different types of tunnels in the same hash table (ip6n->tnls_r_l) prone to hash collisions. The bug is that the fallback search loops in vti6_tnl_lookup() were missing checks to ensure that the candidate tunnel actually has a wildcard address.
Title ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:23.177Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53221

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:30:06Z

Weaknesses
  • CWE-20

    Improper Input Validation